Logging Amazon Kinesis Streams API Calls Using AWS CloudTrail

Amazon Kinesis Streams is integrated with AWS CloudTrail, which captures API calls made by or on behalf of Kinesis Streams and delivers the log files to the Amazon S3 bucket that you specify. The API calls can be made indirectly by using the Kinesis Streams console or directly by using the Kinesis Streams API. Using the information collected by CloudTrail, you can determine what request was made to Kinesis Streams, the source IP address from which the request was made, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to configure and enable it, see the AWS CloudTrail User Guide.

Kinesis Streams and CloudTrail

After you enable CloudTrail logging, calls made to Kinesis Streams actions are tracked in log files. Records for Kinesis Streams are written in a log file, together with records from any other AWS service enabled for CloudTrail logging. CloudTrail determines when to create and write to a new file based on the specified time period and file size.

Each log entry contains information about who generated the request. For example, if a request is made to create a stream (CreateStream), the user identity of the person or service that made the request is logged. The user identity information helps you determine whether the request was made with root or IAM user credentials, with temporary security credentials for a role or federated user, or by another AWS service. For more information, see the userIdentity Element in the AWS CloudTrail User Guide.

You can store your log files in your bucket for as long as you need to, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically. By default, your log files are encrypted by using Amazon S3 server-side encryption (SSE).

You can have CloudTrail publish SNS notifications when new log files are delivered if you want to take quick action upon log file delivery. For information, see Configuring Amazon SNS Notifications in the AWS CloudTrail User Guide.

Log File Entries for Kinesis Streams

CloudTrail log files can contain one or more log entries, where each entry is made up of multiple JSON-formatted events. A log entry represents a single request from any source and includes information about the requested action, any parameters, the date and time of the action, and so on. The log entries are not guaranteed to be in any particular order. That is, this is not an ordered stack trace of API calls.
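The following is an added example, not part of the AWS documentation: a Python sketch that pulls the Kinesis Streams entries out of a CloudTrail log file, resolves who made each call from the userIdentity element, and orders the entries by eventTime because the file itself is unordered. The log content, account ID, user names, and IP addresses are constructed sample values, and the helper names are hypothetical.

```python
import json
from datetime import datetime

KINESIS = "kinesis.amazonaws.com"
# Constructed sample log file: one JSON object with a "Records" array, deliberately out of order.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-04-19T00:17:06Z", "eventSource": KINESIS, "eventName": "DeleteStream",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"streamName": "example-stream"},
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops/alice",
                      "sessionContext": {"sessionIssuer": {"userName": "ops"}}}},
    {"eventTime": "2014-04-19T00:16:31Z", "eventSource": KINESIS, "eventName": "CreateStream",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"streamName": "example-stream", "shardCount": 1},
     "userIdentity": {"type": "IAMUser", "userName": "Bob", "arn": "arn:aws:iam::111122223333:user/Bob"}},
    {"eventTime": "2014-04-19T00:16:50Z", "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "Bob"}},
    {"eventTime": "2014-04-19T00:15:02Z", "eventSource": KINESIS, "eventName": "CreateStream",
     "sourceIPAddress": "192.0.2.44", "requestParameters": {"streamName": "other-stream", "shardCount": 1},
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]})

def describe_identity(uid):
    """Return (identity type, best available name) from a userIdentity element."""
    kind = uid.get("type", "Unknown")
    if kind == "AssumedRole":  # temporary credentials: report the role that issued the session
        issuer = uid.get("sessionContext", {}).get("sessionIssuer", {})
        return kind, issuer.get("userName") or uid.get("arn", "?")
    if kind == "AWSService":   # call made by another AWS service
        return kind, uid.get("invokedBy", "?")
    return kind, uid.get("userName") or uid.get("arn", "?")

def kinesis_activity(log_text):
    """Filter Kinesis Streams entries from a mixed-service log and sort them by time."""
    rows = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != KINESIS:
            continue  # the same file carries records from other services
        kind, who = describe_identity(rec.get("userIdentity", {}))
        rows.append({"time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
                     "event": rec.get("eventName"), "identity_type": kind, "who": who,
                     "source_ip": rec.get("sourceIPAddress"),
                     "stream": (rec.get("requestParameters") or {}).get("streamName")})
    return sorted(rows, key=lambda r: r["time"])

def root_calls(rows):
    """Entries made with root credentials, which usually warrant review."""
    return [r for r in rows if r["identity_type"] == "Root"]

if __name__ == "__main__":
    for r in kinesis_activity(SAMPLE_LOG):
        print(r["time"].isoformat(), r["event"], r["stream"], r["identity_type"], r["who"], r["source_ip"])
```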